Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
tomcatApache TomcatTOMCAT:DB944B118F9B26AA34A993C1D9DF505F
HistoryOct 24, 2013 - 12:00 a.m.

Fixed in Apache Tomcat 7.0.47

2013-10-2400:00:00
Apache Tomcat
tomcat.apache.org
8

5.8 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:M/Au:N/C:P/I:P/A:N

0.972 High

EPSS

Percentile

99.8%

JSON

Note: The issue below was fixed in Apache Tomcat 7.0.43 but the release votes for 7.0.43 to 7.0.46 did not pass. Therefore, although users must download 7.0.47 to obtain a version that includes a fix for this issue, versions 7.0.43 to 7.0.46 are not included in the list of affected versions.

Important: Information disclosure CVE-2013-4286

The fix for CVE-2005-2090 was not complete. It did not cover the following cases:

  • content-length header with chunked encoding over any HTTP connector
  • multiple content-length headers over any AJP connector

Requests with multiple content-length headers or with a content-length header when chunked encoding is being used should be rejected as invalid. When multiple components (firewalls, caches, proxies and Tomcat) process a sequence of requests where one or more requests contain either multiple content-length headers or a content-length header when chunked encoding is being used and several components do not reject the request and make different decisions as to which content-length header to use an attacker can poison a web-cache, perform an XSS attack and obtain sensitive information from requests other then their own. Tomcat now rejects requests with multiple content-length headers or with a content-length header when chunked encoding is being used.

This was fixed in revision 1521854.

This issue was identified by the Apache Tomcat security team on 15 August 2013 and made public on 25 February 2014.

Affects: 7.0.0 to 7.0.42

CPENameOperatorVersion
apache tomcatge7.0.0
apache tomcatle7.0.42

Related

seebug 3
securityvulns 6
debiancve 1
tomcat 5
cve 3
ubuntucve 1
github 2
veracode 3
osv 5
prion 2
nessus 41
cert 1
f5 2
redhat 21
ibm 17
openvas 31
freebsd 1
mageia 2
oraclelinux 4
fedora 3
vmware 2
centos 2
ubuntu 1
amazon 1
debian 3
gentoo 1
oracle 5
seebug
seebug
Apache Tomcat 安全限制绕过漏洞
2014-02-26 00:00:00
Apache Tomcat不完整修复信息泄漏漏洞
2014-02-27 00:00:00
Mac OS X 2007-007更新修复多个安全漏洞
2007-08-02 00:00:00
securityvulns
securityvulns
[SECURITY] CVE-2013-4286 Incomplete fix for CVE-2005-2090 (Information disclosure)
2014-02-28 00:00:00
Apache Tomcat multiple security vulnerabilities
2014-03-31 00:00:00
CA20090123-01: Cohesion Tomcat Multiple Vulnerabilities (Updated - v1.1)
2009-01-28 00:00:00
debiancve
debiancve
CVE-2013-4286
2014-02-26 14:55:00
tomcat
tomcat
Fixed in Apache Tomcat 8.0.0-RC3
2013-09-23 00:00:00
Fixed in Apache Tomcat 5.5.23, 5.0.SVN
2007-03-09 00:00:00
Fixed in Apache Tomcat 6.0.39
2014-01-31 00:00:00
cve
cve
CVE-2013-4286
2014-02-26 14:55:00
CVE-2005-2090
2005-07-05 04:00:00
CVE-2014-4286
2014-06-18 21:55:00
ubuntucve
ubuntucve
CVE-2013-4286
2014-02-26 00:00:00
github
github
Apache Tomcat is vulnerable to HTTP request-smuggling
2022-05-14 01:10:36
Tomcat Vulnerable to Web Cache Poisoning
2022-05-01 02:04:54
veracode
veracode
Request-smuggling Attacks
2019-01-15 08:59:20
HTTP Request Smuggling
2018-11-13 06:55:19
Authorization Bypass
2019-05-02 05:02:08
osv
osv
Apache Tomcat is vulnerable to HTTP request-smuggling
2022-05-14 01:10:36
Tomcat Vulnerable to Web Cache Poisoning
2022-05-01 02:04:54
tomcat6 - security update
2014-11-23 00:00:00
prion
prion
Design/Logic Flaw
2014-02-26 14:55:00
Design/Logic Flaw
2014-06-18 21:55:00
nessus
nessus
RHEL 5 : JBoss EAP (RHSA-2014:0343)
2014-04-01 00:00:00
Apache Tomcat 5.0.x <= 5.0.30 / 5.5.x < 5.5.23 Content-Length HTTP Request Smuggling
2011-11-18 00:00:00
Apache Tomcat 7.0.x < 7.0.47 / 8.0.x < 8.0.0-RC3 Information Disclosure
2019-01-11 00:00:00
cert
cert
Single crafted HTTP request may result in multiple responses
2005-02-04 00:00:00
f5
f5
SOL16828 - Apache Tomcat vulnerability CVE-2005-2090
2015-07-02 00:00:00
K16828 : Apache Tomcat vulnerability CVE-2005-2090
2015-07-02 00:00:00
redhat
redhat
(RHSA-2014:0458) Moderate: Red Hat JBoss Data Virtualization 6.0.0 security update
2014-04-30 18:58:00
(RHSA-2014:0374) Important: Red Hat JBoss Data Grid 6.2.1 update
2014-04-03 21:51:02
(RHSA-2014:0511) Important: Red Hat JBoss Operations Network 3.2.1 security update
2014-05-15 17:17:17
ibm
ibm
Security Bulletin: Open Source Apache Tomcat - 4 issues (CVE-2013-4286) for RAF
2018-06-17 04:55:52
Security Bulletin: Rational Build Forge Security Advisory (CVE-2013-4286)
2018-06-17 04:53:14
Security Bulletin: Security vulnerabilities in Apache Tomcat for WebSphere Application Server Community Edition 2.1.1.6 and 3.0.0.4(CVE-2013-4286,CVE-2012-3544,CVE-2013-4322,CVE-2013-4590,CVE-2014-0033)
2018-06-15 07:01:06
openvas
openvas
Apache Tomcat Multiple Vulnerabilities - 01 (Mar 2014)
2014-03-25 00:00:00
FreeBSD Ports: apache-tomcat
2008-09-04 00:00:00
FreeBSD Ports: apache-tomcat
2008-09-04 00:00:00
freebsd
freebsd
tomcat -- multiple vulnerabilities
2007-04-27 00:00:00
mageia
mageia
Updated tomcat package fixes security vulnerabilities
2014-04-03 04:16:05
Updated tomcat package fixes security vulnerabilities
2014-04-03 04:16:05
oraclelinux
oraclelinux
tomcat6 security update
2014-04-23 00:00:00
Important: tomcat security update
2007-06-26 00:00:00
tomcat security update
2014-07-20 00:00:00
fedora
fedora
[SECURITY] Fedora 20 Update: tomcat-7.0.52-1.fc20
2014-09-26 09:02:42
[SECURITY] Fedora 19 Update: Pound-2.6-8.fc19
2014-11-07 02:38:03
[SECURITY] Fedora 20 Update: Pound-2.6-8.fc20
2014-11-12 02:45:18
vmware
vmware
Updated Tomcat and Java JRE packages for VirtualCenter 2.5, VirtualCenter 2.0.2, ESX 3.5, ESX 3.0.2, and ESX 3.0.1.
2008-01-07 00:00:00
Updated Tomcat and Java JRE packages for VirtualCenter 2.5, VirtualCenter 2.0.2, ESX 3.5, ESX 3.0.2, and ESX 3.0.1.
2008-01-07 00:00:00
centos
centos
jakarta, tomcat5 security update
2007-05-14 22:49:09
tomcat6 security update
2014-04-23 19:07:14
ubuntu
ubuntu
Tomcat vulnerabilities
2014-03-06 00:00:00
amazon
amazon
Medium: tomcat6
2014-05-21 10:45:00
debian
debian
[SECURITY] [DSA 2897-1] tomcat7 security update
2014-04-08 18:25:14
[SECURITY] [DLA 91-1] tomcat6 security update
2014-11-23 09:02:25
[SECURITY] [DSA 3530-1] tomcat6 security update
2016-03-25 18:47:56
gentoo
gentoo
Apache Tomcat: Multiple vulnerabilities
2014-12-15 00:00:00
oracle
oracle
Oracle Critical Patch Update - April 2015
2015-04-14 00:00:00
Oracle Critical Patch Update - July 2014
2014-07-15 00:00:00
Oracle Critical Patch Update - October 2014
2014-10-14 00:00:00

5.8 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:M/Au:N/C:P/I:P/A:N

0.972 High

EPSS

Percentile

99.8%

JSON
Related for TOMCAT:DB944B118F9B26AA34A993C1D9DF505F
seebug3securityvulns6debiancve1tomcat5cve3ubuntucve1github2veracode3osv5prion2nessus41cert1f52redhat21ibm17openvas31freebsd1mageia2oraclelinux4fedora3vmware2centos2ubuntu1amazon1debian3gentoo1oracle5